I’m a customer of Hover for my domain name needs. However, that will be changing because I don’t believe that they take issues seriously.

The first security issue

I was browsing their site, looking for a new domain, and being the constant tinkerer I am, I entered a single quote into the text field. I noticed an error, and eventually crafted this URL:
https://www.hover.com/domains/results?q=%27%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E
There’s nothing magical in that URL; however, it demonstrated a real vulnerability in their code:
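
Why the leading `'>` in that query string matters, and what output encoding changes, shown as an added example that is not part of the original post and is not Hover's code. The template is an assumption (a search box that echoes `q` into a single-quoted `value` attribute), and `render_unsafe`, `render_safe` and `parse` are hypothetical names.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# URL exactly as given in the post.
REPORTED_URL = ("https://www.hover.com/domains/results"
                "?q=%27%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E")


def search_term(url):
    """Decode the q parameter the way a web framework hands it to a handler."""
    return parse_qs(urlsplit(url).query)["q"][0]


def render_unsafe(q):
    # Assumed template: q echoed into a single-quoted attribute with no encoding.
    return "<input type='text' name='q' value='" + q + "'>"


def render_safe(q):
    # quote=True encodes ' and " as well as & < >, so q cannot close the attribute.
    return "<input type='text' name='q' value='" + escape(q, quote=True) + "'>"


class _Collector(HTMLParser):
    """Records element start tags and the value attribute of the input box."""

    def __init__(self):
        super().__init__()
        self.tags, self.value = [], None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.value = dict(attrs).get("value")


def parse(markup):
    """Return (start tags seen, input value) for a rendered fragment."""
    collector = _Collector()
    collector.feed(markup)
    collector.close()
    return collector.tags, collector.value


if __name__ == "__main__":
    q = search_term(REPORTED_URL)
    print("decoded q:", q)
    print("unescaped:", parse(render_unsafe(q)))
    print("escaped:  ", parse(render_safe(q)))
```

With the unescaped template the parser sees a second element after the input box; with encoding applied, the same characters come back only as the text of the `value` attribute.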